Proof Positive that Lindell was Conned

circumlocutions
6 min read · Feb 21, 2021

The truth or falsity of a statement is often concealed at first, yet patient analysis can uncover what is hidden.

Mike Lindell, the CEO of MyPillow, released a video about voter fraud. He makes many claims, but I want to show my analysis of the data at the end, which he calls “proof positive” that China hacked the election.

His source is an article at The American Report (archive link) with the title “EXCLUSIVE: Proof China, Russia Hacked 2020 Election.” This article contains only a screenshot of the data, but it links to blxware.org. The data is not actually on blxware but instead on electionrecords.com, to which blxware used to link. The site quietly removed the chart but not before it was captured by the Internet Archive here. (The whole site now returns an error message.)

Screenshot of Mike’s data

When the data is sorted by the timestamp, there are many odd patterns that stand out:

  1. With a few exceptions, the states are sorted alphabetically.
  2. With a few exceptions, the targets are sorted alphabetically by the owner’s name.
  3. Many source IP addresses are sorted numerically. (See lines 7–16, 17–23, 24–33, 40–44, and 62–65.)

So the Chinese hackers must have thought to themselves: “Using our hacking resources, let’s attack an election site, sometimes jumping to our next resource sorted by IP address, and let’s make sure to attack the states in alphabetical order and even to attack each county within each state in alphabetical order too.” This seems improbable for a nation-state attacker.
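The ordering checks above can be automated. The following is an added example, not the author's code: the rows are constructed placeholders rather than the chart's data, and the function names are hypothetical. It sorts rows by timestamp, counts alphabetically ordered neighbours, finds numerically increasing runs of source IPs, and estimates how often a random ordering would look at least as sorted.

```python
import ipaddress
import random

# Constructed sample rows (timestamp, target owner, source IP); NOT the chart's data.
ROWS = [
    ("2020-11-03 21:10:05", "Birch County",   "198.51.100.7"),
    ("2020-11-03 21:10:17", "Cedar County",   "198.51.100.9"),
    ("2020-11-03 21:10:19", "Dogwood County", "198.51.100.10"),
    ("2020-11-03 21:10:28", "Elm County",     "198.51.100.44"),
    ("2020-11-03 21:10:38", "Alder County",   "192.0.2.200"),
    ("2020-11-03 21:10:46", "Fir County",     "192.0.2.15"),
    ("2020-11-03 21:10:51", "Hazel County",   "192.0.2.16"),
    ("2020-11-03 21:10:59", "Maple County",   "192.0.2.30"),
]
ROWS_BY_TIME = sorted(ROWS)  # ISO-style timestamps sort correctly as strings
OWNERS = [owner for _, owner, _ in ROWS_BY_TIME]
# Parse addresses so 198.51.100.9 < 198.51.100.10 (a string compare gets this wrong).
IPS = [ipaddress.ip_address(ip) for _, _, ip in ROWS_BY_TIME]

def in_order_pairs(keys):
    """Number of adjacent pairs that are already in non-decreasing order."""
    return sum(a <= b for a, b in zip(keys, keys[1:]))

def sorted_runs(keys, min_len=3):
    """1-based inclusive (start, end) row ranges where keys strictly increase."""
    runs, start = [], 0
    for i in range(1, len(keys) + 1):
        if i == len(keys) or not keys[i - 1] < keys[i]:
            if i - start >= min_len:
                runs.append((start + 1, i))
            start = i
    return runs

def shuffle_p_value(keys, trials=2000, seed=0):
    """Share of random orderings that are at least as sorted as the observed one."""
    rng = random.Random(seed)
    observed, pool, hits = in_order_pairs(keys), list(keys), 0
    for _ in range(trials):
        rng.shuffle(pool)
        hits += in_order_pairs(pool) >= observed
    return (hits + 1) / (trials + 1)

if __name__ == "__main__":
    print("owner pairs in order:", in_order_pairs(OWNERS), "of", len(OWNERS) - 1)
    print("increasing source-IP runs (rows):", sorted_runs(IPS))
    print("chance a random order is this sorted:", shuffle_p_value(OWNERS))
```

A small p-value means the time-ordered rows are far more alphabetical than chance would produce, which is the signature of a table that was generated or sorted by hand rather than captured from independent events.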

With that strange pattern in mind, let’s jump to technical errors in the data:

  1. Record n_000003 inaccurately lists 192.3.12.123 as Huawei but it’s not even in China. That IP is located in the United States, a part of ASN AS36352 which is registered to a U.S. company called ColoCrossing based in New York.
  2. Record n_000004 inaccurately lists 192.3.10.220 as Huawei Headquarters. This IP also belongs to ColoCrossing in New York.
  3. Record g_00002 inaccurately lists 91.222.136.6 as KYIV, UKRAINE (presumably this stands for Kyivstar, the Ukrainian internet service provider), but that IP is owned by Delta-X LTD, a Ukrainian hosting company.
  4. Record n_000009 inaccurately lists 52.84.112.70 as “Philadelphia county of elections” but, according to its TLS certificate, that IP address is hosting a subdomain of animelo.jp, a Japanese anime site.
  5. Record m_00007 inaccurately lists 34.236.48.18 as the “Livingston county clerk” but the Livingston county website resolves to 52.4.212.217. Instead, according to its TLS certificate, this IP is a subdomain for huggy.app, a Brazilian communication app.
  6. Record g_00003 inaccurately lists 99.83.200.251 as “Colquitt county election supervisor” in Georgia but the Colquitt county website resolves to 3.231.123.127. Instead, the TLS certificate for 99.83.200.251 is for the City of McAlester (www.cityofmcalester.com) in Oklahoma.
  7. Record g_00004 inaccurately lists 184.86.103.196 as Columbia county, but Columbia County’s website resolves to 23.194.190.176. Instead, 184.86.103.196 hosts the website of a Swiss chemical company called PanGas.
  8. Record g_00006 inaccurately lists 2.16.186.177 as Coweta County but their website actually resolves to 23.194.190.160. Instead, 2.16.186.177 belongs to Akamai, the CDN company in Boston.
  9. Record g_00009 inaccurately lists 162.221.183.17 as Dawson County, but their website resolves to 50.28.0.27. Instead 162.221.183.17 hosts the websites of the city of Woodside in California and Jefferson County in Oregon.
  10. Record g_00014 inaccurately lists 13.224.194.110 as Dougherty County, but their website resolves to 13.35.77.109. Instead 13.224.194.110 hosts a site for Coke, the drink company.

There are more technical errors, but that’s sufficient to demonstrate a trend.

With these errors in mind, let’s ask more important questions of the data:

  1. Does finding a Chinese IP address in your server logs mean you were hacked by the Chinese government? No. There are other possibilities to consider: (a) a non-malicious user from that country visited your site; (b) someone from that country was using masscan to scan the whole internet and hit your site because it’s on the internet; (c) the IP address was spoofed; (d) someone from an entirely different country visited your site using a Chinese proxy.
  2. To elaborate on (c), spoofing IP addresses is easy. In fact, here’s a 3-line program I wrote to spoof an IP address from that list. Run this program against any server to add a Chinese IP address to their log files! That is, if they log all IP packets.
  3. To elaborate on (d), one common way to conceal your IP address is to run a VPN server. With cloud hosting providers so common (AWS, Azure, Linode, HostGator, DreamHost, etc.), anyone in the world can spin up a virtual machine located anywhere in the world, install OpenVPN, connect over Tor, and conduct an attack that is very difficult to attribute correctly. And at least 30% of the IP addresses in the source list are cloud hosting providers. Thus the existence of VPNs falsifies Lindell’s belief that if your server shows a visit by an IP address in country X, then the government of country X is trying to hack you.
  4. According to record m_00005, 12 seconds after the Chinese unsuccessfully attacked Lapeer county in Michigan, the pro-Trump Russian government (via Kaspersky) hacked the election in Leelanau, Michigan to decrease Trump’s votes. How did the Russians know which Michigan county to attack in order to maintain the Chinese’s alphabetically sorted attack? Exactly 2 seconds later the Chinese (in Hong Kong) tried but failed to hack the election in Lenawee, Michigan. Then 9 seconds later the Germans (via a German university) hacked the election in Livingston, Michigan — coincidentally, also maintaining the Chinese’s alphabetically sorted attack. Then 10 seconds later the Canadians jump in and hack Luce, Michigan, followed only 8 seconds later by the Czech hack in Mackinac, Michigan. Either this is a coordinated alphabetically sorted international attack, or it’s a single actor using multiple VPNs (thus coming from anywhere), or all this data is trash.
  5. None of the MAC addresses in the ID columns are known MAC addresses. A MAC address is used to identify a specific network interface card (e.g., a specific Wi-Fi, Ethernet, or Bluetooth interface). If I run the Linux `ifconfig` command on my Raspberry Pi, I can see the MAC address is b8:27:eb:62:d5:0c. If I look up the manufacturer, I can see that the Raspberry Pi Foundation owns the MAC prefix B8:27:EB. This means all MAC addresses that begin with B8:27:EB were created by the Raspberry Pi Foundation. Similarly, the MAC address of the Wi-Fi interface of an old iOS device I have begins with F0:DB:E2. Unsurprisingly, the manufacturer is Apple. Yet not a single MAC address in either column belongs to a registered manufacturer.
  6. The IP addresses in the Source column (e.g. 199.224.22.10 for Allegheny County) appear to be each county’s generic website. These sites carry basic information about parks, covid restrictions, transportation, police announcements, careers, elections, education, real estate, court records, historical interests, fire departments, and other government-related information. What evidence is there to believe that any county uses these generic websites to count votes?

Because this data presents false information and is relevant only under false assumptions, I dug into who owns the blxware and electionrecords websites. If you browse these websites in the Internet Archive (link), you’ll find links to the owner’s account on GiveSendGo, a Christian crowdfunding site. Following that link leads you to his GiveSendGo page.

Con man’s gonna con

Notice who’s getting this money: Dennis Montgomery.

For reference, Dennis Montgomery:

  1. Conned the CIA with a program that pretended to find hidden terrorist messages.
  2. Created fake emails to start an FBI investigation into his old business partner.
  3. Created fake data to con the conservative sheriff Joe Arpaio out of $120,000.

For all these reasons, the most reasonable interpretation here is that this data is fabricated.

Of course, you can’t really blame Mike Lindell for being conned by a man who fooled CIA agents. I’m sure that under the right conditions Dennis could fool me too. In this age of fake news and active disinformation, heightened skepticism and a close analysis of the evidence is always warranted.
